istio.io/istio@v0.0.0-20240520182934-d79c90f27776/tests/integration/security/testdata/authz/plaintext.yaml.tmpl (about)

     1  # This configures all services within the namespace to accept mTLS in PERMISSIVE mode, so plaintext requests are accepted as well.
     2  
     3  apiVersion: security.istio.io/v1beta1
     4  kind: PeerAuthentication
     5  metadata:
     6    name: ns-default
     7    namespace: {{ .To.NamespaceName }}
     8  spec:
     9    mtls:
    10      mode: PERMISSIVE
    11  
    12  ---
    13  # This configures requests to any service in the namespace to use mTLS.
    14  
    15  apiVersion: networking.istio.io/v1beta1
    16  kind: DestinationRule
    17  metadata:
    18    name: default
    19    namespace: {{ .To.NamespaceName }}
    20  spec:
    21    host: "*.{{ .To.NamespaceName }}.svc.cluster.local"
    22    trafficPolicy:
    23      tls:
    24        mode: ISTIO_MUTUAL
    25  
    26  ---
    27  # This authz policy denies access to the service if the request was not sent over mTLS: a source
    28  # principal is only available on mTLS requests, so notPrincipals: [ "*" ] matches every plaintext request.
    29  
    30  apiVersion: security.istio.io/v1beta1
    31  kind: AuthorizationPolicy
    32  metadata:
    33    name: {{ .To.ServiceName }}
    34    namespace: {{ .To.NamespaceName }}
    35  spec:
    36    selector:
    37      matchLabels:
    38        "app": "{{ .To.ServiceName }}"
    39    action: DENY
    40    rules:
    41      - from:
    42          - source:
    43              notPrincipals: [ "*" ]
    44  
    45  ---
    46  # This configures plaintext (TLS disabled) for requests to the "To" service from any workload in the "Denied" namespace, so those requests carry no source principal and are rejected by the DENY policy above.
    47  
    48  apiVersion: networking.istio.io/v1beta1
    49  kind: DestinationRule
    50  metadata:
    51    name: {{ .To.ServiceName }}
    52    namespace: {{ .Denied.NamespaceName }}
    53  spec:
    54    host: "{{ .To.ClusterLocalFQDN }}"
    55    trafficPolicy:
    56      tls:
    57        mode: DISABLE